[Freeipa-users] Generic preauthentication failure while getting initial credentials using kinit -k -t
Brian J. Murrell
brian at interlinx.bc.ca
Thu Sep 24 13:07:19 UTC 2015
On Thu, 2015-09-24 at 08:23 +0300, Alexander Bokovoy wrote:
> You need to explain what are you trying to achieve first.
Sure. It is entirely likely that I am misunderstanding what I should
be doing.
A system service needs to be able to authenticate to the service
imap/linux.example.com as a given user, so clearly that system service
cannot kinit and provide a password as a user would normally (I guess
this is what GSS-Proxy is for, FWIW).
> The sequence above:
>
> - Sets a random Kerberos key for a principal named asterisk@EXAMPLE.COM
OK.
> on IPA KDC and stores it to the local keytab file asterisk.keytab
Right.
> - tries to use a key for asterisk@EXAMPLE.COM to obtain ticket granting
> ticket as imap/linux.example.com@EXAMPLE.COM
So maybe this is where I am going wrong.
> Unless imap/linux.example.com@EXAMPLE.COM has exactly the same Kerberos key
> as asterisk@EXAMPLE.COM, the above should fail and it does.
So I want to put the imap/linux.example.com Kerberos key into the
asterisk.keytab file, such as:
ipa-getkeytab -s server.example.com -p imap/linux.example.com -k /tmp/asterisk-krb5.keytab -e aes256-cts
I probably need to brush up on my Kerberos here, but is that what a user
effectively does? When I, as a user, do a "kinit brian" and then do a
klist (after having used my imap client), I see:
24/09/15 09:00:28 25/09/15 06:19:42 imap/linux.example.com@EXAMPLE.COM
Does that mean that I actually have the Kerberos key for that
imap/linux.example.com@EXAMPLE.COM in my key cache -- the exact same key
that I am going to put into the asterisk.keytab above?
Cheers,
b.
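To make the key-versus-ticket distinction in this exchange concrete, here is an added toy model of the sequence Alexander describes (ipa-getkeytab sets a random key, kinit -k pre-authenticates with it, the TGS issues a service ticket sealed with the service's own key). It is not FreeIPA or MIT Kerberos code: the cipher is an HMAC-based stand-in for aes256-cts, and the principal names, keys and error strings are constructed for the example.

```python
import hmac, hashlib, os, time

KRBTGT = "krbtgt/EXAMPLE.COM@EXAMPLE.COM"
IMAP = "imap/linux.example.com@EXAMPLE.COM"
KDC_KEYS = {KRBTGT: os.urandom(32)}   # the KDC's database: every principal's long-term key

def _xor(key, nonce, data):   # toy keystream cipher (HMAC-SHA256 in counter mode), standing in for aes256-cts
    ks = b"".join(hmac.new(key, nonce + bytes([i]), hashlib.sha256).digest() for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def toy_encrypt(key, data):
    nonce = os.urandom(16)
    ct = _xor(key, nonce, data)
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()   # tag: a wrong key is detected

def toy_decrypt(key, blob):   # returns the plaintext, or None when the tag does not verify under this key
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        return None
    return _xor(key, nonce, ct)

def ipa_getkeytab(principal):   # ipa-getkeytab: set a fresh random key on the KDC and hand it to the caller
    KDC_KEYS[principal] = os.urandom(32)
    return KDC_KEYS[principal]

def kdc_as_req(principal, preauth):   # AS exchange: the client must prove it holds <principal>'s key
    if toy_decrypt(KDC_KEYS.get(principal, b""), preauth) is None:   # unknown principal or wrong key
        raise PermissionError("Generic preauthentication failure while getting initial credentials")
    return toy_encrypt(KDC_KEYS[KRBTGT], b"TGT:" + principal.encode())

def kdc_tgs_req(tgt, service):   # TGS exchange: the service ticket is sealed with the *service's* key
    client = toy_decrypt(KDC_KEYS[KRBTGT], tgt)
    if client is None:
        raise PermissionError("TGT was not issued by this KDC")
    return toy_encrypt(KDC_KEYS[service], b"TKT:" + client[4:] + b"->" + service.encode())

def kinit_k(keytab_key, principal):   # kinit -k -t <keytab> <principal>: a TGT, or the error kinit prints
    try:
        return kdc_as_req(principal, toy_encrypt(keytab_key, str(time.time()).encode()))
    except PermissionError as e:
        return str(e)

def demo():
    asterisk_key = ipa_getkeytab("asterisk@EXAMPLE.COM")   # what ipa-getkeytab wrote into asterisk.keytab
    ipa_getkeytab(IMAP)                                      # the IMAP service has its own, different key
    wrong = kinit_k(asterisk_key, IMAP)                      # the thread's failing command: key/principal mismatch
    tgt = kinit_k(asterisk_key, "asterisk@EXAMPLE.COM")      # principal matches the keytab key: a TGT comes back
    tkt = kdc_tgs_req(tgt, IMAP)                             # the imap/... entry that klist shows in the ccache
    return {"wrong_principal": wrong, "service_can_read_ticket": toy_decrypt(KDC_KEYS[IMAP], tkt),
            "client_can_read_ticket": toy_decrypt(asterisk_key, tkt) is not None}   # False: a ticket is not the key
```

Running demo() shows the preauth error for the mismatched principal, a ticket the IMAP service can open with its own key, and that the client holding that ticket in its cache still cannot read it, which is the answer to the question above.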